On April 23, AFME and Murex held a workshop discussion to explore how incoming cyber testing requirements, combining both banks and third-party providers in a single exercise, could work in practice.
With the application of the Digital Operational Resilience Act (DORA) from January 2025 fast approaching, the innovations in operational risk management are increasingly coming under the spotlight. AFME’s latest industry workshop focused on one innovation which has generated a lot of interest: namely pooled resilience testing, capturing both a number of financial entities and third-party providers.
Pooled testing has been specifically proposed as part of a financial entity’s Threat Led Penetration Testing (TLPT), a simulation-based exercise to assess in real-time how firms would respond to, manage and recover from a malicious actor. TLPT is based on the existing EU TIBER framework, and under DORA it will be required on a three-year cycle.
The workshop, which had over 90 participants from AFME’s membership, was convened in recognition that the decision to include a wider range of participants within one exercise represents a significant expansion in TLPT scope.
To include the perspective of a third-party ICT provider in their analysis, AFME invited Jean Al Zreibi, the Governance, Risk and Compliance Manager of the SaaS Service at Murex.
During the session, Jean shared how Murex is currently conducting pooled TLPT to reinforce the security of the MX.3 SaaS solution, some of the upsides of this practice today, and the uncertainties in DORA that remain to be clarified.
Ensuring that TLPT is a learning opportunity, rather than a tick-box exercise
At the beginning of the discussion, it was reiterated that AFME has long supported TLPT as a valuable tool which can provide in-depth and accurate insights into how a firm would, in practice, enact its various risk management policies and safeguards. Given the scale of resourcing to undertake such an exercise, it is critical that maximum value is extracted. It was agreed this is best ensured in an environment which is open, challenging and focused on future enhancements.
Such transparency can be challenging during an exercise involving potential competitors and suppliers. Firms will naturally be hesitant to let any perceived deficiencies in their cyber security practices and controls be visible to other market players or subject to collective examination. The temptation will be to retreat to shallow or cursory exercises, where the firm is confident of receiving a clean bill of health. Several participants also flagged that there would need to be strict safeguards to ensure that restricted or sensitive information is either out of scope or securely handled. Failure to do so would likely breach existing NDAs or other contractual commitments, yet a heavy-handed approach could see firms resort to a checklist set of disclosures.
Identifying a scenario which has both commonality and sufficient depth
The discussion also underscored that previous experiences have shown the benefit of focusing a TLPT scenario on a smaller set of critical or important functions. This, it was agreed, enables the financial entity to go into greater depth on how these parts of the business would be impacted and identify detailed findings for future development.
The challenge a number of attendees identified was how to ensure a combined scenario would retain this depth while remaining relevant to a wider number of participants. The role of the provider may be key in finding common ground, but doing so without creating a circular set of reviews and approvals across each of the financial entities will be a challenge. One suggestion centred on the idea that regulators should identify commonalities from financial entities’ individual testing and subsequently bring them together. However, it remains uncertain whether the authorities have the resourcing capability to do this.
Similarly, the crucial part of any TLPT is the lessons learnt and recommendations for future action. This is key to ensuring that the exercise is a learning opportunity with tangible benefits. Yet, there was consensus during the workshop that it is currently unclear how authorities intend to identify a series of lessons that can be applied across multiple parties without exposing sensitive information or becoming overly vague and high-level.
Unlocking benefits from pooled testing
Nevertheless, there was a degree of optimism that careful planning, in conjunction with the industry, could help unlock a range of benefits from pooled testing. If presented and implemented effectively, the incoming requirements could ensure that duplicative testing across the financial market is unified into a single exercise, with the associated costs shared. It could also enable financial entities to leverage the technical expertise of their third-party providers.
What happens next?
The discussion concluded by noting that a lot of uncertainty remains surrounding the practical implementation of pooled testing. This is why, as part of our advocacy efforts, AFME has been calling for the authorities to develop standalone operational guidance before initiating any roll-out of these exercises.
In the remaining months before DORA comes into effect, AFME will relay the views raised by members as we continue to work with the EU supervisory authorities to develop and promote operational guidance to provide clarity on these issues.
AFME’s Technology & Operations team remains on hand to discuss any of these issues in further depth, or to provide an update on the organisation’s activity in this field. Please contact [email protected] for further information.